
Thread: More Secure?

  1. #1
    Regular Coder
    Join Date
    Mar 2005
    Posts
    240
    Thanks
    1
    Thanked 0 Times in 0 Posts

    More Secure?

    Hi there

    Just wondering if doing this on your scripts:

    Code:
    <?php include 'connection.inc.php'; ?>
    Is more secure than this:

    Code:
    <?php 
        $host = "xx"; 
        $user = "xx"; 
        $pass = "xx"; 
        $db = "xx"; 
    ?>
    Basically, will putting your connection data in an include be more secure than not...

    Thanks

  • #2
    Regular Coder ralph l mayo's Avatar
    Join Date
    Nov 2005
    Posts
    951
    Thanks
    1
    Thanked 31 Times in 29 Posts
    Doesn't really make a difference. You could argue that if the user accessible file has:

    PHP Code:
    define('FOO', 1);
    include 'connection.inc.php';
    and the include has, at the top:
    PHP Code:
    if (!defined('FOO'))
    {
        exit();
    }

    $stuff = 'otherstuff';
    //... 
    There is a bit more security.

    The idea is to keep the include from being directly accessed, where I guess it is easier to mess with. phpBB did something like this the last time I looked at it. I honestly don't know how it helps but with all the holes that have opened and closed in phpBB's security I can only assume it cuts down on some route of attack.

  • #3
    New Coder
    Join Date
    Apr 2006
    Location
    Pakistan
    Posts
    36
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Quote Originally Posted by ralph l mayo
    Doesn't really make a difference. You could argue that if the user accessible file has:

    PHP Code:
    define('FOO', 1);
    include 'connection.inc.php';
    and the include has, at the top:
    PHP Code:
    if (!defined('FOO'))
    {
        exit();
    }

    $stuff = 'otherstuff';
    //... 
    There is a bit more security.

    The idea is to keep the include from being directly accessed, where I guess it is easier to mess with. phpBB did something like this the last time I looked at it. I honestly don't know how it helps but with all the holes that have opened and closed in phpBB's security I can only assume it cuts down on some route of attack.
    Thanks, Post Bookmarked!

  • #4
    Senior Coder djm0219's Avatar
    Join Date
    Aug 2003
    Location
    Wake Forest, North Carolina
    Posts
    1,285
    Thanks
    4
    Thanked 201 Times in 198 Posts
    Quote Originally Posted by losse
    Code:
    <?php include 'connection.inc.php'; ?>
    Is more secure than this:
    If you keep your includes in a directory outside of the web root it will be. Anything in that include directory can't be accessed directly at all by the web server and, in theory, should not accidentally be shown if the web server config gets messed up. I always have exactly one file that the web server can see and that's index.php. Everything else lives in another directory outside of the web root.
    Dave .... HostMonster for all of your hosting needs

  • #5
    Regular Coder trib4lmaniac's Avatar
    Join Date
    Feb 2004
    Location
    Cornwall, UK
    Posts
    535
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Accessing the page doesn't make any difference anyway, unless it doesn't get parsed :|

  • #6
    Master Coder felgall's Avatar
    Join Date
    Sep 2005
    Location
    Sydney, Australia
    Posts
    6,461
    Thanks
    0
    Thanked 632 Times in 622 Posts
    If you don't have access to put the files above the root folder then placing the includes in a password protected folder is almost as good. PHP can still access them but they can't be accessed any other way without the password.
    Stephen
    Learn Modern JavaScript - http://javascriptexample.net/
    Helping others to solve their computer problem at http://www.felgall.com/

    Don't forget to start your JavaScript code with "use strict"; which makes it easier to find errors in your code.

  • #7
    New Coder
    Join Date
    Apr 2006
    Location
    Pakistan
    Posts
    36
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Quote Originally Posted by felgall
    If you don't have access to put the files above the root folder then placing the includes in a password protected folder is almost as good. PHP can still access them but they can't be accessed any other way without the password.
    Some people get hacked in that situation as well!

  • #8
    Regular Coder
    Join Date
    Mar 2005
    Posts
    240
    Thanks
    1
    Thanked 0 Times in 0 Posts
    Could someone explain what this is all about

    define('FOO', 1);
    include 'connection.inc.php';

    if (!defined('FOO'))
    {
    exit();
    }

    $stuff = 'otherstuff';
    //...
    I don't get this all that much but would love an explanation.

    Thanks!

  • #9
    New Coder
    Join Date
    Apr 2006
    Location
    Pakistan
    Posts
    36
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Well, let's say you have this in connection.inc.php

    In the code below we say that if the constant OPEN is not defined in the included PHP file then it will exit() the script, which means that the script will stop immediately.

    PHP Code:
    if (!defined('OPEN'))
    {
        exit();
    }

    This increases the security so that no one can directly access the file.

    PHP Code:
    define('OPEN', 1);
    will connect to connection.inc.php; otherwise, if define('OPEN', 0), it will not connect to the database, and the same if neither piece of code is written.
    Last edited by Muhammad Haris; 04-30-2006 at 01:35 PM.
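
A deploy-time check for the two approaches discussed in this thread, added here as an example and not code from any poster: it reports whether each include file sits outside the web root (the advice in post #4) or, if it is web-reachable, whether it starts with the `defined()` guard from posts #2 and #9. The function names, the `public_html`/`private` layout and the sample files are assumptions, built in a temporary directory.

```php
<?php
// Added example (not from the thread): classify include files by location.
// The directory tree below is constructed in a temp dir; names are hypothetical.

function isInside(string $path, string $root): bool {
    $p = realpath($path);
    $r = realpath($root);
    return $p !== false && $r !== false
        && strpos($p . DIRECTORY_SEPARATOR, $r . DIRECTORY_SEPARATOR) === 0;
}

function hasGuard(string $file, string $constant): bool {
    // Match the thread's pattern near the top of the file:
    // if (!defined('FOO')) { exit(); }
    $head = (string) file_get_contents($file, false, null, 0, 512);
    $re = '/if\s*\(\s*!\s*defined\(\s*[\'"]' . preg_quote($constant, '/')
        . '[\'"]\s*\)\s*\)\s*\{?\s*(exit|die)\b/';
    return preg_match($re, $head) === 1;
}

function auditIncludes(string $docroot, array $files, string $constant): array {
    $report = [];
    foreach ($files as $file) {
        if (!isInside($file, $docroot)) {
            $report[basename($file)] = 'outside web root';
        } elseif (hasGuard($file, $constant)) {
            $report[basename($file)] = 'web-reachable, guarded';
        } else {
            $report[basename($file)] = 'web-reachable, no guard';
        }
    }
    return $report;
}

// Constructed sample layout.
$base = sys_get_temp_dir() . '/inc_audit_' . uniqid();
mkdir("$base/public_html/inc", 0700, true);
mkdir("$base/private", 0700, true);
$body  = "\$host = 'xx';\n";
$guard = "if (!defined('FOO'))\n{\n    exit();\n}\n";
file_put_contents("$base/private/connection.inc.php", "<?php\n" . $body);
file_put_contents("$base/public_html/inc/guarded.inc.php", "<?php\n" . $guard . $body);
file_put_contents("$base/public_html/inc/bare.inc.php", "<?php\n" . $body);

$files = ["$base/private/connection.inc.php",
          "$base/public_html/inc/guarded.inc.php",
          "$base/public_html/inc/bare.inc.php"];
print_r(auditIncludes("$base/public_html", $files, 'FOO'));
```

The guard only has an effect while the server executes the file as PHP; a file outside the web root is not served by URL at all, however the server is configured.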

  • #10
    Master Coder felgall's Avatar
    Join Date
    Sep 2005
    Location
    Sydney, Australia
    Posts
    6,461
    Thanks
    0
    Thanked 632 Times in 622 Posts
    Quote Originally Posted by Muhammad Haris
    Some people get hacked in that situation as well!
    Yes but it is better than the alternatives if you don't have access to anywhere above the root folder on the hosting. Some people get hacked even with their files above the root too for that matter. It is all a matter of degrees of difficulty and the only way to be 100% safe is to not put the files onto a computer in the first place.

